recommended reading

5 Ways to Spot a Coerced Insider Threat

Andrea Danti/


By William Senich October 22, 2015

recent posts

William Senich is corporate vice president for global cyber solutions at Alion Science and Technology.

The scariest part of the Office of Personnel Management data breach isn’t that hackers have the data – it’s what they plan to do with it.

The sheer amount of personal information seized, allegedly by a Chinese espionage operation, has grabbed headlines for months. We know there are nearly 22 million Americans who had their data stolen. We also now know that nearly 6 million people had their fingerprint data stolen, leading to a host of new national security issues.

While the fact that this data has been stolen is scary, the bigger question is what will the hackers do with it?

When a large corporation is hacked for personal information, it usually takes the form of recent incidents at Home Depot or Target where customers’ credit card information is stolen and used by perpetrators for fraudulent purposes. Specifically, those who stole the credit card information were making unauthorized purchases or taking out cash against the credit line.  

It is those outcomes that led the government to offer free credit reporting and protection for those involved in the OPM hack. But the motivation behind swiping the information of more than 22 million federal employees, contractors and partners could be more sinister.

There are myriad reasons why this personal information could be so valuable to foreign actors. They could use this information to spy on Americans. They could share this information with allies or sell it to terrorists. They could use this information to expose American spies abroad. They could also use this information to create new insider threats on American soil.

We typically think of insider threats as self-motivated – for instance, selling IP or national secrets for financial gain – but that is not always the case. A subset of insider threat is the “coerced threat,” where an individual has been pressured into malicious activities by a hacker who has used the threat of exposing personal information as leverage. While this is a traditionally rare form of insider threat, it is unfortunately a new reality we must be prepared for.

For example, if an individual were in financial trouble, a hacker would classify him or her as a high-value target and ply them with money in exchange for classified information. The coerced threat, in theory, would be undetectable because the employee is in good standing, trusted and not worried about as a threat internally.

The National Insider Threat Policy outlines how government agencies need to monitor for threats, and it is highly recommended all federal agencies deploy third-party software to perform instant analysis of data. However, agencies need to look beyond data analysis and become more proactive in how they evaluate employees to account for a coerced threat.

In particular, a coerced threat differs from a traditional insider threat in terms of how the threat would be identified. For traditional insider threat risk, there are traditional warning signs – reduced loyalty, lack of empathy or a pattern of poor behavior – that easily cause warning signs.

But for a coerced threat, their outward behavior will likely not change at all. This is where agencies must look out for behaviors that are normal in isolation but are cause for concern taken in totality.

Here are five behavioral indicators that could indicate an employee in good standing has been coerced.

  • Remotely accesses the network while on vacation, sick or at odd times
  • Works odd hours without authorization
  • Notable enthusiasm for overtime, weekend or unusual work schedules.
  • Unnecessarily copies materials, especially if proprietary
  • Interest in matters outside the scope of their duties

If you have an employee or contractor remotely accessing the network on vacation, that may not be cause for concern. But if that same person is also working odd hours without authorization, that should raise suspicions and potentially prompt an investigation.

As federal agencies ramp up their insider threat detection over the next year, they need to always keep the notion of a coerced threat in mind. The ways insider attacks are carried out are ever-changing. That means the way insider threats are detected must as well.

(Image via Andrea Danti/


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.